Re: ANNOUNCE: (SECURITY) GDM 2.4.1.6 (stable) and GDM 2.4.2.101 (unstable), the "I 0wn3rz y0ur f1lez" release
- From: Luis Villa <louie ximian com>
- To: gnome-hackers gnome org
- Subject: Re: ANNOUNCE: (SECURITY) GDM 2.4.1.6 (stable) and GDM 2.4.2.101 (unstable), the "I 0wn3rz y0ur f1lez" release
- Date: Wed, 20 Aug 2003 20:19:29 -0400
Speaking as a vendor, it would have been nice if we'd been alerted that
2.4.16 was a security release before this announcement. Is that
something we need to think about formalizing a little bit? Or is it
something we'd formalized ages ago and I didn't know about? :)
Luis
On Wed, 2003-08-20 at 19:40, George wrote:
> WHACKYWHACKYWHACKYWHACK
>
> (If you have no clue what gdm is, skip a few paragraphs down first)
>
> It is time again, yes you guessed it, for a security announcement. After
> some auditing of code I found 3 issues with it, one of them being fairly
> serious. Here are the descriptions and CVE numbers
>
> CAN-2003-0547 which allows any user to read any root readable text file on
> the system by making a symlink from ~/.xsession-errors. This affects all
> GNOME2 versions.
>
> CAN-2003-0548, a crash when chosen host expires. DoS only for XDMCP (XDMCP
> should however be confined to a 'trusted' network anyway). This affects
> all versions from 2.0beta2 forward really.
>
> CAN-2003-0549, a crash if authorization key name is shorter then 18 bytes
> (that is, not MIT-MAGIC-COOKIE-1) DoS only for XDMCP (XDMCP should however be
> confined to a 'trusted' network anyway). This affects all versions that
> had XDMCP. Some distributors shipped a patch at some point which managed
> to fix this though.
>
> Mostly people would be affected by the first one as XDMCP should be off
> by default and if it is on, you should really confine it to a 'trusted'
> network as you can always pretty much DoS an XDMCP server because of the
> way XDMCP works.
>
> On the slightly silly news front, the cookie generation in the devel version
> is now utterly overengineered. The plus side of that is that you should
> really get really REALLY random cookies even on systems with no /dev/random
> and friends and no /proc. Also it now doesn't waste all your kernel entropy
> just for generating a 16 byte cookie.
>
> In addition to auditing code for security problems, and making sure that
> all random bits are really random, I've also done some optimizations,
> mainly in the graphical greeter. This cuts down on the memory usage by
> quite a bit, saving about 6megs for me on the circles theme, plus
> some optimization of CPU usage and disk access. Some utterly useless
> soptimization was also done making the code a few nanoseconds faster.
> The manual has also been updated, including some XDM bashing (as if you
> didn't already know that it so obviously sucks:)
>
> No new longjmp usage, however the following statistic should be of similar
> interest:
>
> devgnome pipina:/gnome/head/cvs/gdm2% grep goto **/*.c | wc -l
> 79
> devgnome pipina:/gnome/head/cvs/gdm2%
>
> And now for the standard part of the release announcement:
>
> GDM is the GNOME Display Manager, it is the little proggie that runs in the
> background, runs your X sessions, presents you with a login box and then
> tells you to piss off because you forgot your password. It does pretty much
> everything that you would want to use xdm for, but doesn't involve as much
> crack. It doesn't use any code from xdm, and has a more paranoid and safer
> design overall. It also includes many features over xdm, the biggest one of
> which is that it is more user friendly, even if your X setup is failing. The
> goal is that users should never, ever have to use the command line to
> customize or troubleshoot gdm. It of course supports xdmcp, and in fact
> extends xdmcp a little bit in places where I thought xdm was lacking (but is
> still compatible with xdm's xdmcp).
>
> News:
> =====
>
> Highlights of 2.4.1.6 (see further for 2.4.2.100 and 2.4.2.101 stuff):
>
> Security issues were not part of original release notes and
> are not present in the NEWS file in the 2.4.1.6 tarball just
> in case you are wandering. This is because 2.4.1.6 and
> 2.4.2.100 came out more then a week ago and the issues weren't
> public yet.
>
> - Backport the errorgui from HEAD, easier then fixing
> the bugs. This is the ~/.xsession-errors security
> fix mentioned above.
>
> - Actually insure /tmp/.ICE-unix (#118878)
>
> - Fix some crashes in main daemon. This is the XDMCP crashes
> mentioned above.
>
> - Fix the language checking code to not mess up when LC_ALL
> and LC_MESSAGES are not the same
>
>
> Highlights of 2.4.2.101:
>
> - Memory profiling of the graphical greeter by not keeping
> around info (pixmaps) which we won't need. On the circles
> theme this saves about 6megs on the circles theme.
> Also cache pixmaps in the graphical greeter which reduces
> the disk rattling we need to do to start up. Plus a bit
> of just performance profiling should reduce CPU usage of
> the graphical greeter quite a bit too.
>
> - Update the manual, especially the theme section
>
> - The UserAuthDir now works in a much saner way. If the
> directory is not tilde expanded, then we treat it just
> like /tmp and use random filenames.
>
> - Prevent a minor DoS attack (apps being coerced to fill
> up the home dir) by intercepting the output from the
> session and only writing to the ~/.xsession-errors
> file a maximum of 80*2500 bytes.
>
> - The user lists in the face browsers and the gdmsetup are
> now capped at a higher number, but we also cap the time
> that is spent gathering the info at 5 seconds.
>
> - Deal with hypothetical main daemon crashes semi decently
> in the slave.
>
> - Try /dev/fd if /proc/self/fd isn't there for checking
> which FDs are open, should make this work on more platforms
> (in particular FreeBSD)
>
> - Run fbconsole on startup if found, this is a solaris
> thing to prevent console output to corrupt your display
> (Brian Cameron)
>
> - Use the 66 code from session to indicate failure that
> need not display the .xsession-errors file
>
> - Actually read the "active" state for text items
>
> - Break all pam messages (not just the error) at 50
> columns. This is kind of a hack, we need to support
> proper linebreaking in the theme.
>
> - Respect negative coordinates with "-0" in the
> theme
>
> - Display help from the setup program if not running
> from within gdm itself
>
> - The standard config file now has most keys commented out
> so that the internal defaults are used and so that we can
> change those defaults in the future without the user having
> to update the config file.
>
> - Improvements in the cookie generation. Doesn't use
> up all the system entropy but just uses the 16 bytes it
> actually needs (since we just need a 16 byte cookie).
> Plus improve randomness on systems without /dev/random
> and friends.
>
> - Correctly handle out of diskspace on auth handling and
> on the PID file thing.
>
> - Fix the runlevel reading
>
> - Fix possible crash on auth purge
>
> - Fix possible chooser crash
>
> - Fix lots of minor bugs
>
> - Some soptimization to save a nanosecond or two
>
> - Translation updates (Wang Jian, Funda Wang, Christian Rose, Jordi Mallach,
> Danilo Segan, Artur Flinta, Miloslav Trmac, Duarte Loreto, Kostas Papadimas,
> Ales Nyakhaychyk, Laurent Dhima, Christophe Merlet,
> Evandro Fernandes Giovanini, Metin Amiroff, Pauli Virtanen, Dafydd Harries)
>
> 2.4.2.100 SECURITY ADDENDUM:
> Was not part of the original release notes to give distributors a chance
> to update.
>
> - SECURITY: Fixed CAN-2003-0547 which allows any user to read any
> root readable text file on the system by making a symlink from
> ~/.xsession-errors
>
> - SECURITY: Fixed CAN-2003-0548, a crash when chosen host expires.
> DoS only for XDMCP (XDMCP should however be confined to a 'trusted'
> network anyway)
>
> - SECURITY: Fixed CAN-2003-0549, a crash if authorization key name
> is shorter then 18 bytes (that is, not MIT-MAGIC-COOKIE-1)
> DoS only for XDMCP (XDMCP should however be confined to a 'trusted'
> network anyway)
>
> 2.4.2.100 stuff:
>
> - Fix #118878 by actually ensuring /tmp/.ICE-unix
>
> - More doc updates
>
> - Fix up rlimit use and handle cases where we ourself
> hit SIGXCPU and SIGXFSZ. Also handle SIGABRT cleanly
> in the main daemon.
>
> - The error gui uses the same theme as the greeters
>
> - The pam config files don't include the /lib/security
> prefix as apparently it's more kosher to let pam
> find the modules itself
>
> - Fix some crashes in main daemon, fix debug output in places
>
> - A whole pile of minor XDMCP updates
>
> - Fix solaris build (Brian Cameron)
>
> - Limit users in face browsers above 100 not 50
>
> - Remove any mentions of SessionMaxFile as it isn't used anymore
>
> - Some typos fixed (Jordi Mallach)
>
> - Translation updates (Jordi Mallach, Artur Flinta, Christian Rose,
> Miloslav Trmac, Kostas Papadimas, Duarte Loreto, Ole Laursen,
> Danilo Segan, Christian Neumair)
>
> Note: GDM2 was originally written by Martin K. Petersen <mkp mkp net>, and
> has for a while now been maintained by the Queen of England. She is usually
> not responsive to bug reports or feature requests. You can try to send them
> to me however.
>
> Note2: If installing from the tarball do note that make install overwrites
> most of the setup files, all except gdm.conf. It will however save backups
> with the .orig extension first.
>
> Note3: Note3 has been depracated ...
>
> Downloading:
> ============
>
> Webpage: http://www.jirka.org/gdm.html
> http://ftp.gnome.org/pub/GNOME/sources/gdm/2.4/
> ftp://ftp.5z.com/pub/gdm/
>
> Sorry no RPMS. There is a spec file included in the tarball and it may or
> may
> not work (it should, and it did some time ago but I haven't tried it lately).
>
> Have fun,
> (or as in the immortal words of Chema: "Have sex,")
>
> George
>
> PS: I think we're saving electricity in this incredibly hot summer as we
> don't have to heat the fish water. Though it's a few degrees higher then
> should be, but I still sometimes feel like I want to just jump in there to
> cool down. You'd think that living close to the coast in San Diego you never
> need AC. That's another thing we're saving money on. Because if we had AC
> we'd be using it. Then again we're running all the fans we have full time,
> so perhaps we're not saving that much. I'm contemplating crawling into the
> freezer to cool down, but I'm so sweaty, I fear all the sweat would freeze
> and I wouldn't be able to move and get out. Plus the freezer smells like
> bloodworms that we have there for the fish.
_______________________________________________
gnome-hackers mailing list
gnome-hackers gnome org
http://mail.gnome.org/mailman/listinfo/gnome-hackers
[
Date Prev][
Date Next] [
Thread Prev][
Thread Next]
[
Thread Index]
[
Date Index]
[
Author Index]